Skip to main content

SBOM generator for Python modules

Project description

SBOM4Python

The SBOM4Python is a free, open source tool to generate a SBOM (Software Bill of Materials) for an installed Python module in a number of formats including SPDX and CycloneDX. It identifies all of the dependent components which are explicity defined (typically via requirements.txt file) or implicitly as a hidden dependency.

It is intended to be used as part of a continuous integration system to enable accurate records of SBOMs to be maintained and also to support subsequent audit needs to determine if a particular component (and version) has been used.

Installation

To install use the following command:

pip install sbom4python

Alternatively, just clone the repo and install dependencies using the following command:

pip install -U -r requirements.txt

The tool requires Python 3 (3.7+). It is recommended to use a virtual python environment especially if you are using different versions of python. virtualenv is a tool for setting up virtual python environments which allows you to have all the dependencies for the tool set up in a single environment, or have different environments set up for testing using different versions of Python.

Usage

usage: sbom4python [-h] [-m MODULE] [--exclude-license] [-d]
                   [--sbom {spdx,cyclonedx}] [--format {tag,json}]
                   [-o OUTPUT_FILE] [-g GRAPH] [-V]
optional arguments:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit

Input:
  -m MODULE, --module MODULE
                        identity of python module
  --exclude-license     suppress detecting the license of components

Output:
  -d, --debug           add debug information
  --sbom {spdx,cyclonedx}
                        specify type of software bill of materials (sbom) to
                        generate (default: spdx)
  --format {tag,json}   specify format of SPDX software bill of materials
                        (sbom) (default: tag)
  -o OUTPUT_FILE, --output-file OUTPUT_FILE
                        output filename (default: output to stdout)
  -g GRAPH, --graph GRAPH
                        filename for dependency graph

Operation

The --module option is used to identify the Python module.

The --sbom option is used to specify the format of the generated SBOM (the default is SPDX). The --format option can be used to specify the formatting of the SPDX SBOM (the default is Tag Value format but JSON format is also supported).

The --output-file option is used to control the destination of the output generated by the tool. The default is to report to the console but can be stored in a file (specified using --output-file option).

The tool attempts to determine the license of each module. This can be suppressed using the --exclude-license option in which case all licences are reported as 'NOASSERTION'.

The --graph option is used to generate a dependency graph of the components within the SBOM. The format of the graph file is compatible with the DOT language used by the GraphViz application.

Licence

Licenced under the Apache 2.0 Licence.

Limitations

This tool is meant to support software development and security audit functions. However the usefulness of the tool is dependent on the SBOM data which is provided to the tool. Unfortunately, the tool is unable to determine the validity or completeness of such a SBOM file; users of the tool are therefore reminded that they should assert the quality of any data which is provided to the tool.

Feedback and Contributions

Bugs and feature requests can be made via GitHub Issues.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distribution

sbom4python-0.1.0-py2.py3-none-any.whl (41.7 kB view details)

Uploaded Python 2 Python 3

File details

Details for the file sbom4python-0.1.0-py2.py3-none-any.whl.

File metadata

  • Download URL: sbom4python-0.1.0-py2.py3-none-any.whl
  • Upload date:
  • Size: 41.7 kB
  • Tags: Python 2, Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.3.0 pkginfo/1.6.1 requests/2.25.1 setuptools/50.3.2 requests-toolbelt/0.9.1 tqdm/4.57.0 CPython/3.9.11

File hashes

Hashes for sbom4python-0.1.0-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 0b4747c97beffa447cde4e7da9c54432105992fe8f9d16ed64dbd94dbf75896f
MD5 31441e7d40adc5e102156e183443ff01
BLAKE2b-256 d4cb1cf22ce16becde7e569ae6c3cbb8f0b7ff593e28953c5f8d656f755cea67

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page